Microsoft issues workaround for Internet Explorer bug

SAN FRANCISCO — While a patch has not yet been issued, Microsoft has posted instructions on how users can protect the two most recent versions of Internet Explorer against a security flaw announced over the weekend.

The security flaw allows attackers to slip malicious code into an innocuous website, using a compromised file.

When a victim visits the tainted website using any of the Internet Explorer web browsers versions 6 through 11, attackers could gain full user rights over the victim's computer — and potentially all information on it.

The security flaw led the U.S. Department of Homeland Security's Computer Emergency Readiness Team on Monday to advise Americans to switch to a different browser until it's corrected.

US-CERT has since reviewed its recommendation and now suggests users and administrators make use of the Microsoft security workarounds.

Microsoft's updated information about the vulnerability includes information on an Enhanced Protected Mode workaround that will protect people using Internet Explorer 10 and 11, the two most recent versions of the web browser.

However the fix is somewhat technically complex and it's unclear how many users will actually implement it, given how few do even routine maintenance on their computer's security systems.

"Implementing Microsoft's recommendations will be tough," said Chris Camejo, director of assessment services at NTT Com Security, in Bloomfield, Conn.

"They require changing settings on individual affected systems," he said. "Many of Microsoft's workarounds would also disable functions like ActiveX controls that could affect the usability of some web pages," he said.

Camejo's sense is that, "given the complexity and impact of Microsoft's workarounds, I suspect many organizations are just going to wait until the patch gets released and hope they don't get breached in the meantime."

The IE vulnerability is a big deal, said Will Dormann, vulnerability analyst in the CERT Division of the Carnegie Mellon University Software Engineering Institute in Pittsburgh, Pa.

"First, the vulnerability affects all supported versions of Internet Explorer, which is present on nearly every Microsoft Windows system," he said.

In addition, the fact that the world has now been alerted to the security flaw means hackers are more likely to "switch from targeted attacks to more widespread attacks. Once news of a vulnerability is made public, attackers don't have much reason to try to keep it secret anymore," he said.

Carnegie Mellon's CERT team has posted further instructions on how users can protect their computers against the flaw.

Users still running the Windows XP operating system are especially at risk, experts note. Even Homeland Security weighed in. "Those who cannot follow Microsoft's recommendations, such as Windows XP users, may consider employing an alternate browser," it said in a posting.

Windows XP was first launched in 2001. Microsoft stopped supporting it on April 8. Because of that, computers running the system no longer have access to security upgrades.

The security flaw "is a problem for IE users, but even more so since XP users won't get updates," said Dodi Glenn of ThreatTrack Security, a computer security company in Clearwater, Fla.

"From a security standpoint, I have to wonder, how long will users be willing to keep a vulnerable operating system on their network before deciding to upgrade?"